Solved

MySQL through ipsec tunnel

Posted on 2014-03-25
11
746 Views
Last Modified: 2014-04-13
I have two Red Hat Enterprise Linux 6 systems that are both on the same network:

HOST1 - Snort Sensor - 192.168.1.5
HOST2 - MySQL Database Server - 192.168.1.10

I need to make the Snort sensor write to the database via an ipsec tunnel.  I have the tunnel created using openswan using these instructions: http://www.putorius.net/2012/08/creating-end-to-end-ipsec-tunnel.html

Now I am wondering how do I force all MySQL traffic through the tunnel?  Any help would be appreciated.
0
Comment
Question by:savone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39955033
You would use the are the IPs referenced on the 192.168.1.x the IP used in the IPSec tunnel or both locations use the same LAN segment?
Snort IPA for IPSec
Mysql DB server IPB for IPSec.

In your DB connection setting on the snort box you will use IPB and not the 192.168.1.10 IP.

You however have to make sure when granting the snort user reference IPA as the host from which that user will be connecting.
0
 
LVL 23

Author Comment

by:savone
ID: 39957817
So the IP addresses in the conf files should not be their real IP addresses, but rather a new network I made up?
0
 
LVL 78

Expert Comment

by:arnold
ID: 39957861
Are the two systems on the same segment and are accessible without a VPN?

If the two systems are at different locations that are using the same IP segments, IP overlay as part of the IPSec policy will be required.
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 23

Author Comment

by:savone
ID: 39957989
No the systems are on the same network segment and CAN communicate without a VPN.
0
 
LVL 78

Expert Comment

by:arnold
ID: 39958276
Then what is the purpose for the VPN?

Are you merely looking to encrypt the connection?

Mysql 5.1 and newer have the features to encrypt connections.
http://dev.mysql.com/doc/refman/5.1/en/ssl-connections.html
0
 
LVL 23

Author Comment

by:savone
ID: 39958517
Yes, I need to separate the traffic and they (management) want me to do it with ipsec tunnels.
0
 
LVL 78

Expert Comment

by:arnold
ID: 39959000
The IPs in the VPN configuration will the current IPs of each /32 defining only IP1 to IP2 traffic to match the VPN pattern and only this traffic will flow through the VPN.  

If the concern deals with observance of data, using SSL encryption of the mysql connection might be an alternative.

The only adjustment to the instructions you would replace 10.0.0.1 with 192.168.1.4
And 10.0.0.40 with 192.168.1.15.
0
 
LVL 23

Author Comment

by:savone
ID: 39959109
@arnold, why should I use 192.168.1.4 and 192.168.1.15?  Those are not the IP addresses of my machines.

Also, I have it set up as you are suggestion, but MySQL traffic is still using the default route and going around the ipsec tunnel.
0
 
LVL 78

Expert Comment

by:arnold
ID: 39959329
Oops, I checked which IPs to use prior to starting to write the response,
you would use the 192.168.1.5 and the 192.168.1.10

Since you want your snort box to access the mysql server, you should configure the openswan such that the client on the snort box initiate the connection.
0
 
LVL 23

Author Comment

by:savone
ID: 39960698
@arnold, we are back to square one.  The tunnel is up, but the MySQL data is still being send over the regular network and not the ipsec tunnel.
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 39960711
Check the IP xfrm policy to see whether it has the definition to route traffic between the two hosts via the tunnel.

During your configuration you might have missed the step that determines whether the data should enter the IPSec tunnel or not.

See the guide and double check every referenced configuration/setting.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question